Freesco, NND, CDN, EOS http://forum.freesco.pl/

DEBIAN: routing, htb, squid - request for help http://forum.freesco.pl/viewtopic.php?f=8&t=17349

Author: TheL [Thursday, 4 December 2008, 16:15]
Title: DEBIAN: routing, htb, squid - request for help
Hello, I haven't been here for a long time, but I remember there are people here who know their stuff, so I'm posting here. I have Debian with the ipp2p, zph etc. patches (I think I have every one that exists, and they are definitely compiled correctly). A network of 400 people; currently, for some time, unfortunately only 2 links: one 8/1 asymmetric (the default one) and a second 21/21 symmetric. It turned out that for certain reasons I have to change the whole server configuration, and I put together what you see below, but everything runs veeeery slowly. Until now I had it done differently and on different links; back then I gave users 2 Mbps/256 kbps, and I would like to do the same now, at least virtually (this is meant to be temporary). There are constantly around 40-50 active users; some use only e-mail, the web and GG, but there are around 5-8 downloaders. Where, in your opinion, am I making a mistake in the configuration, and what should I change so that it starts working sensibly? (Changing the links is out of the question right now for certain reasons.) Every sensible piece of advice matters to me. Let's say I can run this on a dual-core Intel with 4 GB of RAM and 2 disks in RAID 1; if necessary I'll add RAM or disks. Thanks in advance for the help.

File routing:

```bash
#!/bin/bash
ip link set eth0 down
ip link set eth1 down
ip link set eth2 down
ip addr flush dev eth0
ip addr flush dev eth1
ip addr flush dev eth2    # the posted script flushed eth1 twice and never flushed eth2
ip link set eth0 up
ip link set eth1 up
ip link set eth2 up
ip addr add 192.168.0.1/24 dev eth0
ip addr add 192.168.1.1/24 dev eth0
ip addr add 192.168.2.1/24 dev eth0
ip addr add 192.168.3.1/24 dev eth0
ip addr add 192.168.4.1/24 dev eth0
ip addr add xx.xx.xx.xx/27 dev eth1
ip addr add yy.yy.yy.yy/29 dev eth2
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Laduje zmienne"
IF0=eth0
IF2=eth1
IF1=eth2
IP2=xx.xx.xx.xx
IP1=yy.yy.yy.yy
P2=xx.xx.xx.xy
P1=yy.yy.yy.yx
P0_NET0=192.168.0.0/24
P0_NET1=192.168.1.0/24
P0_NET2=192.168.2.0/24
P0_NET3=192.168.3.0/24
P0_NET4=192.168.4.0/24
P2_NET=xx.xx.xx.xz/27
P1_NET=yy.yy.yy.yz/29
echo "Etap 1"
# the named tables T1 and T2 must exist in /etc/iproute2/rt_tables, otherwise every "table T1/T2" command fails
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2
echo "Etap 2"
# these connected routes already exist after the "ip addr add" lines above; a "File exists" error here is harmless
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
echo "Etap 3"
ip route add default via $P1
echo "Flush"
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2
iptables -A POSTROUTING -t nat -s $P0_NET0 -o $IF1 -j SNAT --to-source $IP1
iptables -A POSTROUTING -t nat -s $P0_NET0 -o $IF2 -j SNAT --to-source $IP2
iptables -A POSTROUTING -t nat -s $P0_NET1 -o $IF1 -j SNAT --to-source $IP1
iptables -A POSTROUTING -t nat -s $P0_NET1 -o $IF2 -j SNAT --to-source $IP2
iptables -A POSTROUTING -t nat -s $P0_NET2 -o $IF1 -j SNAT --to-source $IP1
iptables -A POSTROUTING -t nat -s $P0_NET2 -o $IF2 -j SNAT --to-source $IP2
iptables -A POSTROUTING -t nat -s $P0_NET3 -o $IF1 -j SNAT --to-source $IP1
iptables -A POSTROUTING -t nat -s $P0_NET3 -o $IF2 -j SNAT --to-source $IP2
iptables -A POSTROUTING -t nat -s $P0_NET4 -o $IF1 -j SNAT --to-source $IP1
iptables -A POSTROUTING -t nat -s $P0_NET4 -o $IF2 -j SNAT --to-source $IP2
ip rule add fwmark 69 table T1
ip rule add fwmark 70 table T2
iptables -t mangle -A PREROUTING -p tcp --dport 20 -j MARK --set-mark 70 #FTP data
iptables -t mangle -A PREROUTING -p tcp --dport 21 -j MARK --set-mark 70 #FTP control
iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 70 #SSH
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 70 #SMTP - sending mail
iptables -t mangle -A PREROUTING -p tcp --dport 53 -j MARK --set-mark 70 #DNS TCP
iptables -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark 70 #DNS UDP
iptables -t mangle -A PREROUTING -p tcp --dport 110 -j MARK --set-mark 70 #POP3 - receiving mail
iptables -t mangle -A PREROUTING -p tcp --dport 143 -j MARK --set-mark 70 #IMAP - receiving mail
iptables -t mangle -A PREROUTING -p tcp --dport 220 -j MARK --set-mark 70 #IMAP3 - receiving mail
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 70 #HTTPS
iptables -t mangle -A PREROUTING -p tcp --dport 995 -j MARK --set-mark 70 #POP3SSL
iptables -t mangle -A PREROUTING -p tcp --dport 8074 -j MARK --set-mark 70 #GG (Gadu-Gadu)
ip route flush cache
```

File blok-mac - for blocking MACs:

```bash
iptables -A INPUT -j DROP -m mac --mac-source xx:xx:xx:xx:xx:xx
iptables -A FORWARD -j DROP -m mac --mac-source xx:xx:xx:xx:xx:xx
```

File routing-squid - routing for squid:

```bash
# the table "squid" must be defined in /etc/iproute2/rt_tables
# flush first: the posted order (add the default route, then flush the table) deleted the route it had just added
ip route flush table squid
ip route add default via xx.xx.xx.xx dev eth1 table squid
ip rule add from xx.xx.xx.xz/27 table squid
# the posted script had "ip route flush table cache"; the route cache is flushed with "flush cache"
ip route flush cache
```

File tnij - for shaping:

```bash
## adding imq
modprobe imq numdevs=2
###### dynamic link access - download
tc qdisc add dev eth0 root handle 1:1 sfq perturb 10
###### dynamic link access - upload
# this line fails as written: eth0 already has the sfq root qdisc from the line above,
# and tbf needs at least rate, burst and latency (or limit) parameters
tc qdisc add dev eth0 root tbf
#Download
ip link set imq1 up
iptables -t mangle -A POSTROUTING -o eth0 -j IMQ --todev 1
tc qdisc del root dev imq1
tc qdisc add dev imq1 root handle 2:0 htb
# the line below is unnecessary; in the line above it is enough to write 2.1 instead of 2.0
tc class add dev imq1 parent 2:0 classid 2:1 htb rate 9216kbit ceil 16384kbit
# check the cburst and burst options for the users
# check the class priorities (prio)
####### the hashes denote access points #####################################
tc class add dev imq1 parent 2:1 classid 2:2 htb rate 256kbit ceil 2096kbit
tc class add dev imq1 parent 2:1 classid 2:3 htb rate 256kbit ceil 2096kbit
tc class add dev imq1 parent 2:1 classid 2:4 htb rate 256kbit ceil 2096kbit
tc class add dev imq1 parent 2:1 classid 2:5 htb rate 256kbit ceil 2096kbit
tc class add dev imq1 parent 2:1 classid 2:6 htb rate 256kbit ceil 2096kbit
tc class add dev imq1 parent 2:1 classid 2:7 htb rate 256kbit ceil 2096kbit
tc class add dev imq1 parent 2:1 classid 2:8 htb rate 256kbit ceil 2096kbit
tc class add dev imq1 parent 2:1 classid 2:9 htb rate 256kbit ceil 2096kbit
...
tc class add dev imq1 parent 2:1 classid 2:1017 htb rate 256kbit ceil 2096kbit
tc filter add dev imq1 protocol ip parent 2:0 u32 match ip dst 192.168.0.2 flowid 2:2
tc filter add dev imq1 protocol ip parent 2:0 u32 match ip dst 192.168.0.3 flowid 2:3
tc filter add dev imq1 protocol ip parent 2:0 u32 match ip dst 192.168.0.4 flowid 2:4
tc filter add dev imq1 protocol ip parent 2:0 u32 match ip dst 192.168.0.5 flowid 2:5
tc filter add dev imq1 protocol ip parent 2:0 u32 match ip dst 192.168.0.6 flowid 2:6
tc filter add dev imq1 protocol ip parent 2:0 u32 match ip dst 192.168.0.7 flowid 2:7
tc filter add dev imq1 protocol ip parent 2:0 u32 match ip dst 192.168.0.8 flowid 2:8
tc filter add dev imq1 protocol ip parent 2:0 u32 match ip dst 192.168.0.9 flowid 2:9
...
tc filter add dev imq1 protocol ip parent 2:0 u32 match ip dst 192.168.3.255 flowid 2:1017
# "handle 2:0" is already the root HTB qdisc on imq1, so this first leaf is rejected; the "handle N:0" pattern collides for N=2
tc qdisc add dev imq1 parent 2:2 handle 2:0 esfq perturb 10
tc qdisc add dev imq1 parent 2:3 handle 3:0 esfq perturb 10
tc qdisc add dev imq1 parent 2:4 handle 4:0 esfq perturb 10
tc qdisc add dev imq1 parent 2:5 handle 5:0 esfq perturb 10
tc qdisc add dev imq1 parent 2:6 handle 6:0 esfq perturb 10
tc qdisc add dev imq1 parent 2:7 handle 7:0 esfq perturb 10
tc qdisc add dev imq1 parent 2:8 handle 8:0 esfq perturb 10
tc qdisc add dev imq1 parent 2:9 handle 9:0 esfq perturb 10
...
tc qdisc add dev imq1 parent 2:763 handle 1017:0 esfq perturb 10
#Upload
ip link set imq0 up
iptables -t mangle -A PREROUTING -i eth0 -j IMQ --todev 0
tc qdisc del root dev imq0
tc qdisc add dev imq0 root handle 2:0 htb
tc class add dev imq0 parent 2:0 classid 2:1 htb rate 265kbit ceil 265kbit
tc class add dev imq0 parent 2:1 classid 2:2 htb rate 265kbit ceil 265kbit
tc class add dev imq0 parent 2:1 classid 2:3 htb rate 265kbit ceil 265kbit
tc class add dev imq0 parent 2:1 classid 2:4 htb rate 265kbit ceil 265kbit
tc class add dev imq0 parent 2:1 classid 2:5 htb rate 265kbit ceil 265kbit
tc class add dev imq0 parent 2:1 classid 2:6 htb rate 265kbit ceil 265kbit
tc class add dev imq0 parent 2:1 classid 2:7 htb rate 265kbit ceil 265kbit
tc class add dev imq0 parent 2:1 classid 2:8 htb rate 265kbit ceil 265kbit
tc class add dev imq0 parent 2:1 classid 2:9 htb rate 265kbit ceil 265kbit
...
tc class add dev imq0 parent 2:1 classid 2:1017 htb rate 265kbit ceil 265kbit
tc filter add dev imq0 protocol ip parent 2:0 u32 match ip src 192.168.0.2 flowid 2:2
tc filter add dev imq0 protocol ip parent 2:0 u32 match ip src 192.168.0.3 flowid 2:3
tc filter add dev imq0 protocol ip parent 2:0 u32 match ip src 192.168.0.4 flowid 2:4
tc filter add dev imq0 protocol ip parent 2:0 u32 match ip src 192.168.0.5 flowid 2:5
tc filter add dev imq0 protocol ip parent 2:0 u32 match ip src 192.168.0.6 flowid 2:6
tc filter add dev imq0 protocol ip parent 2:0 u32 match ip src 192.168.0.7 flowid 2:7
tc filter add dev imq0 protocol ip parent 2:0 u32 match ip src 192.168.0.8 flowid 2:8
tc filter add dev imq0 protocol ip parent 2:0 u32 match ip src 192.168.0.9 flowid 2:9
...
tc filter add dev imq0 protocol ip parent 2:0 u32 match ip src 192.168.3.255 flowid 2:1017
# same collision as on imq1: "handle 2:0" is the root HTB qdisc on imq0
tc qdisc add dev imq0 parent 2:2 handle 2:0 esfq perturb 10
tc qdisc add dev imq0 parent 2:3 handle 3:0 esfq perturb 10
tc qdisc add dev imq0 parent 2:4 handle 4:0 esfq perturb 10
tc qdisc add dev imq0 parent 2:5 handle 5:0 esfq perturb 10
tc qdisc add dev imq0 parent 2:6 handle 6:0 esfq perturb 10
tc qdisc add dev imq0 parent 2:7 handle 7:0 esfq perturb 10
tc qdisc add dev imq0 parent 2:8 handle 8:0 esfq perturb 10
tc qdisc add dev imq0 parent 2:9 handle 9:0 esfq perturb 10
...
tc qdisc add dev imq0 parent 2:762 handle 1017:0 esfq perturb 10
```

In place of the dots there are many more lines.

File squid.conf:

```
http_port 3128 transparent
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
dns_nameservers aa.aa.aa.aa bb.bb.bb.bb
maximum_object_size_in_memory 128 KB
maximum_object_size 64 MB
minimum_object_size 0 KB
cache_swap_log /home/cache/cache_swap_log
cache_dir diskd /home/cache 6144 12 256
cache_mem 128 MB
request_header_max_size 50 KB
refresh_pattern -i \.(gif|jpg|jpe|jpeg|png|tiff|swf|html|htm|bmp|css|xml|asp|aspx) 0 50% 7200 reload-into-ims
refresh_pattern -i \.(zip|gz|bz2|exe|rar|mp3|mpg|avi|wmv|vqf|ogg) 43200 40% 43200 reload-into-ims
refresh_pattern symantecliveupdate.com/.*\.(zip|exe) 43200 100% 43200 reload-into-ims
refresh_pattern eset.com/.*\.(nup|ver) 43200 100% 43200 reload-into-ims
refresh_pattern avast.com/.*\.(vpu|vpaa) 43200 100% 43200 reload-into-ims
refresh_pattern . 0 20% 4320
refresh_pattern (http://.*/$) 0 20% 1440
half_closed_clients off
pipeline_prefetch on
cache_access_log /dev/null
cache_log /var/log/squid/cache
cache_store_log /dev/null
log_icp_queries off
pid_filename /usr/local/squid/var/logs/squid.pid
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
acl admins src "/usr/local/squid/etc/admins"
http_access allow admins
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 1025-65535 # other ports
acl CONNECT method CONNECT
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
httpd_suppress_version_string on
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl LAN src 192.168.0.0/24
acl LAN1 src 192.168.1.0/24
acl LAN2 src 192.168.2.0/24
acl LAN3 src 192.168.3.0/24
acl LAN4 src 192.168.4.0/24
acl domena_lokalna dstdom_regex -i .moja.domena
acl zle_strony dstdomain "/usr/local/squid/etc/zle_strony"
no_cache deny zle_strony
acl uploady dstdomain "/usr/local/squid/etc/uploady"
acl ruch_ciezki urlpath_regex -i "/usr/local/squid/etc/ruch_ciezki"
acl ruch_lekki urlpath_regex -i "/usr/local/squid/etc/ruch_lekki"
acl google_maps url_regex -i "/usr/local/squid/etc/google"
acl allegro_zdjecia url_regex -i "/usr/local/squid/etc/allegro"
acl stream urlpath_regex -i "/usr/local/squid/etc/stream"
acl noc time 01:00-08:00
acl za-duzo maxconn 50
http_access deny LAN za-duzo
http_access deny LAN1 za-duzo
http_access deny LAN2 za-duzo
http_access deny LAN3 za-duzo
http_access deny LAN4 za-duzo
http_access allow LAN
http_access allow LAN1
http_access allow LAN2
http_access allow LAN3
http_access allow LAN4
http_reply_access allow all
http_access deny all
icp_access deny all
cache_effective_user proxy
cache_effective_group proxy
reload_into_ims on
ipcache_size 16384
ipcache_low 90
ipcache_high 95
fqdncache_size 0
cache_swap_low 95%
cache_swap_high 98%
tcp_outgoing_address xx.xx.xx.xx LAN
tcp_outgoing_address xx.xx.xx.xx LAN1
tcp_outgoing_address xx.xx.xx.xx LAN2
tcp_outgoing_address xx.xx.xx.xx LAN3
tcp_outgoing_address xx.xx.xx.xx LAN4
udp_incoming_address xx.xx.xx.xx LAN
udp_incoming_address xx.xx.xx.xx LAN1
udp_incoming_address xx.xx.xx.xx LAN2
udp_incoming_address xx.xx.xx.xx LAN3
udp_incoming_address xx.xx.xx.xx LAN4
delay_pools 7
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow admins
delay_access 1 allow domena_lokalna
delay_access 1 deny all
delay_class 2 2
delay_parameters 2 3000000/3000000 -1/-1
delay_access 3 allow google_maps !ruch_ciezki !uploady !stream
delay_access 2 allow ruch_lekki !ruch_ciezki !uploady !stream
delay_access 3 allow allegro_zdjecia !ruch_ciezki !uploady !stream
delay_access 2 deny all
delay_class 3 2
delay_parameters 3 80000/80000 20000/20000
delay_access 3 allow ruch_ciezki !uploady !stream
delay_access 3 deny all
delay_class 4 2
delay_parameters 4 4000000/4000000 4000000/4000000
# the posted file had "delay_access 1" on the next two lines; pool 1 was already closed by "delay_access 1 deny all" above, so they never matched
delay_access 4 allow stream !uploady
delay_access 4 deny all
delay_class 5 2
delay_parameters 5 70000/70000 15000/15000
delay_access 5 allow !noc uploady
delay_access 5 deny all
delay_class 6 2
delay_parameters 6 70000/70000 16000/16000
delay_access 6 allow noc uploady
delay_access 6 deny all
delay_class 7 2
delay_parameters 7 640000/640000 200000/200000
delay_access 7 allow all
# whether zph is there or not, no difference can be seen
#zph_tos_local 8
#zph_tos_peer 0
#zph_tos_parent off
```
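An added example (not the poster's script) that generates the per-host HTB tree from the tnij file above in a loop instead of by hand, with the two sanity checks the hand-written version lacks: leaf qdisc handles that cannot collide with the root "handle 2:0", and a guard against promising the child classes more guaranteed rate than their parent class has (1016 classes of 256kbit under a 9216kbit parent, or 265kbit per class under a 265kbit parent, can never be honoured). The class numbering (root 2:0, parent class 2:1, hosts from 2:2) follows the post; the leaf handle offset, the host-list helper, the use of stock sfq instead of the esfq patch and the checks are this example's own assumptions.

```python
import ipaddress

ROOT_MAJOR = 2      # the post's HTB root is "handle 2:0" on both imq0 and imq1
LEAF_BASE = 0x100   # leaf qdisc majors start at 0x100, so none can equal ROOT_MAJOR


def lan_hosts(network):
    """Host addresses of a LAN as strings, skipping .1 (the router itself).
    ipaddress.hosts() already excludes the network and broadcast addresses."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()][1:]


def check_guarantees(parent_rate_kbit, n_hosts, per_rate_kbit):
    """Return (overcommitted, total_kbit). HTB can only honour each child's
    'rate' if the children's rates sum to no more than the parent's rate."""
    total = n_hosts * per_rate_kbit
    return total > parent_rate_kbit, total


def htb_tree(dev, hosts, parent_rate, parent_ceil, per_rate, per_ceil, direction):
    """tc commands for one direction: direction is 'dst' (download, imq1 in the
    post) or 'src' (upload, imq0). Raises ValueError on an impossible tree."""
    over, total = check_guarantees(parent_rate, len(hosts), per_rate)
    if over:
        raise ValueError(f"{len(hosts)} hosts x {per_rate}kbit = {total}kbit "
                         f"exceeds the parent rate of {parent_rate}kbit")
    if per_ceil > parent_ceil:
        raise ValueError("a child ceil above the parent ceil is never reachable")
    r = ROOT_MAJOR
    cmds = [f"tc qdisc del root dev {dev}",
            f"tc qdisc add dev {dev} root handle {r}:0 htb",
            f"tc class add dev {dev} parent {r}:0 classid {r}:1 htb "
            f"rate {parent_rate}kbit ceil {parent_ceil}kbit"]
    for i, host in enumerate(hosts, start=2):   # classids 2:2, 2:3, ... as in the post
        leaf = LEAF_BASE + i                     # tc parses handles as hex
        cmds += [f"tc class add dev {dev} parent {r}:1 classid {r}:{i:x} htb "
                 f"rate {per_rate}kbit ceil {per_ceil}kbit",
                 f"tc filter add dev {dev} protocol ip parent {r}:0 u32 "
                 f"match ip {direction} {host} flowid {r}:{i:x}",
                 f"tc qdisc add dev {dev} parent {r}:{i:x} handle {leaf:x}:0 sfq perturb 10"]
    return cmds


if __name__ == "__main__":
    # 36 x 256kbit fits under the post's 9216kbit download parent; all 253 hosts would not
    for line in htb_tree("imq1", lan_hosts("192.168.0.0/24")[:36], 9216, 16384, 256, 2096, "dst"):
        print(line)
```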
Time zone: UTC+2 hours